Sunday, January 8, 2017

Seeing that Sundown EK has evolved lately, I got curious and wanted to take a look at what new trickery this EK had come up with.
I looked at it when it started to rise last summer, but back then it was not very advanced and looked to have stolen most of its code from other EKs.

But several people have mentioned lately that it had started to use steganography and had also been weaponized with new exploits.

So let's look under the hood of Sundown EK, anno 2017.

For reference I have added the output from Wireshark showing what was requested by the client, so it will be easier to see which actions the EK code has taken. More details over at malware-traffic-analysis.

Landing - As always some obfuscation trickery

Landing - Deobfuscated

Finally we have something we can read and try to understand.

The landing page still seems to spray out whatever it has got and hope that something sticks on the client.

Three Flash files are set for download, plus a mysterious image.

Landing - Flash 1

Code for loading the Flash file. At the bottom we also see the URL for the payload. We can confirm that this Flash file ran successfully, as Wireshark also shows that the payload URL was requested by the client.

Payload - encrypted and in clear

Epilogue

Encryption of payloads has started. Maybe Sundown will discontinue the clear-text download of payloads in the future.
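Since the payload in this session was RC4-encrypted, here is the kind of helper an analyst uses to recover it from a capture. This is an added example and not code from the original post or from the EK; the key and the "captured" blob are constructed stand-ins (in a real case the key comes from the deobfuscated loader code and the blob from the pcap), and `looks_like_pe` is a hypothetical sanity check that the decrypted bytes are actually a Windows executable rather than garbage from a wrong key.

```python
"""RC4 recovery of a captured exploit-kit payload (added analyst example).

The key and the captured blob below are constructed for this example; a real
investigation takes the key from the deobfuscated landing/loader code and
the ciphertext from the pcap.
"""
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key-scheduling (KSA) followed by the keystream generator (PRGA).

    RC4 is symmetric, so the same call both encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # KSA: permute the state array under the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: generate keystream bytes and XOR them over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap check after decryption: a Windows executable starts with the
    'MZ' DOS header and carries the offset of the 'PE\\0\\0' signature at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return len(data) >= pe_off + 4 and data[pe_off:pe_off + 4] == b"PE\0\0"


# Constructed stand-in for a dropped executable: 'MZ' header, e_lfanew -> 0x40,
# 'PE\0\0' signature, then filler. Not a real binary.
FAKE_PE = (b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\0\0" + b"\0" * 60)

# Hypothetical key; the real one is read out of the EK's loader code.
SAMPLE_KEY = b"example-key"
# "Captured" ciphertext, constructed here by encrypting the stand-in.
CAPTURED_BLOB = rc4(SAMPLE_KEY, FAKE_PE)


def recover_payload(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt a captured blob and return it only if it decrypts to a PE file;
    a wrong key yields pseudo-random bytes and None."""
    plain = rc4(key, blob)
    return plain if looks_like_pe(plain) else None


if __name__ == "__main__":
    recovered = recover_payload(SAMPLE_KEY, CAPTURED_BLOB)
    print("decrypted payload is a PE:", recovered is not None)
    print("wrong key gives a PE:", recover_payload(b"wrong", CAPTURED_BLOB) is not None)
```

The header check is what tells you the key you pulled out of the landing code is the right one: with a wrong key RC4 still "decrypts" happily, it just produces noise, so always validate the result against the format you expect (PE, Flash, PDF) before feeding it to anything else.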

Using stego is at least a cool feature.

Sundown still seems to be greedy and just throws every exploit it has at you, hoping that something will succeed, and then downloads payloads in various formats.

As @Kafeine reported, a new exploit was added recently. Maybe there will be a fight between Sundown and Rig for the EK throne in the weeks and months to come?

Todo: look more into the Flash files for details. I was out of luck finding the newly announced exploits, so I guess I need another go soon.

No Python coding was needed for this task (RC4 decryption only, and that code was on disk already), so we have to fill the void with some different Python: Monty Python. Nice to blog so I could look through some old stuff again. What better than the TrojanRabbit? Enjoy!